Collapsing sponges: Post-quantum security of the sponge construction

Transcription

1 Collapsing sponges: Post-quantum security of the sponge construction Dominique Unruh University of Tartu March 27, 2017 Abstract We investigate the post-quantum security of hash functions based on the sponge construction. A crucial property for hash functions in the post-quantum setting is the collapsing property (a strengthening of collision-resistance). We show that the sponge construction is collapsing (and in consequence quantum collision-resistant) under suitable assumptions about the underlying block function. In particular, if the block function is a random function or a (non-invertible) random permutation, the sponge construction is collapsing. Contents 1 Introduction 1 2 Preliminaries 3 3 Collapsing hash functions Definitions for concrete security 6 4 Sponge construction 8 5 Sponges are collapsing Using random oracles or random permutations Concrete security results Using random oracles or random permutations A Technical lemmas 22 Index 22 Symbol index 22 References 23 1 Introduction Hash functions are one of the central primitives in cryptography. One of the most important properties of a hash function H is collision-resistance. That is, it is infeasible to find x x with H(x) = H(x ). Intuitively, collision-resistance guarantees some kind of computational injectivity given H(x), the value x is effectively determined. Of course, information-theoretically, x is not determined, but in many situations, we can treat the preimage x as unique, because we will never see another value with the same hash. For example, collision-resistant hashes can be used to extend the message space of signature schemes (by signing the hash of the message), or to create a commitment schemes (e.g., sending H(x r) for random r commits us to x; the sender cannot change his mind about x because he cannot find another preimage). In the post-quantum setting, 1 however, it was shown by Unruh [Unr16a] that collisionresistance is weaker than expected: For example, the commitment scheme sketched in the previous paragraph is not binding: it is possible for an attacker to send a hash h, then to be 1 We mean a situation in which the protocols and primitives that are studied are classical, but the attacker can perform quantum computations. 1

2 given a value x, and then to send a random value r such that h = H(x r), thus opening the commitment to any desired value even if H is collision-resistant against quantum adversaries. 2 This contradicts the intuitive requirement that H(x) determines x. Fortunately, Unruh [Unr16a] also presented an strengthened security definition for postquantum secure hash functions: collapsing hash functions. Roughly speaking, a hash function is collapsing if, given a superposition of values m, measuring H(m) has the same effect as measuring m (at least from the point of view of a computationally limited observer). Collapsing hash functions serve as a drop-in replacement for collision-resistant ones in the post-quantum setting: Unruh showed that several natural classical commitment schemes (namely the scheme sketched above, and the statistically-hiding schemes from [HM96]) become post-quantum secure when using a collapsing hash function instead of a collision-resistant one. (And the collapsing property also directly implies collision-resistance.) In light of these results, it is desirable to find hash functions that are collapsing. Unruh [Unr16a] showed that the random oracle is collapsing. (That is, a hash function H(x) := O(x) is collapsing when O is a random oracle.) However, this has little relevance for real-world hash functions: A practical hash function is typically constructed by iteratively applying some elementary building block (e.g., a compression function ) in order to hash large messages. So even if we are willing to model the elementary building block as a random oracle, the overall hash function construction should arguably not be modeled as a random oracle. 3 For hash functions based on the Merkle-Damgård (MD) construction (such as SHA2 [Nat15]), Unruh [Unr16b] showed: If the compression function is collapsing, so is the hash function resulting from the MD construction. In particular, if we model the compression function as a random oracle (as is commonly done in the analysis of practical hash functions), we have that hash functions based on the MD construction are collapsing (and thus suitable for use in a post-quantum setting). However, not all hash functions are constructed using MD. Another popular construction is the sponge construction [Ber+07], underlying for example the current international hash function standard SHA3 [NIS14], but also other hash functions such as Quark [Aum+10], Photon [GPP11], Spongent [Bog+13], and Gluon [Ber+12]. The sponge construction builds a hash function H from a block function 4 f. In the classical setting, we know that the sponge construction is collision-resistant if the block function f is modeled as a random oracle, or a random permutation, or an invertible random permutation [Ber+08]. 5 However, their proof does not carry over to the post-quantum setting: their proof relies on the fact that queries performed by the adversary to the block function are classical (i.e., not in superposition between different values). As first argued in [Bon+11], random oracles and related objects should be modeled as functions that can be queried in superposition of different inputs. Thus, we do not know whether the sponge construction (and thus hash functions like SHA3) is collapsing (or at least collision-resistant). In the present paper we tackle the question whether the sponge construction is collapsing. We show: If the block function f is collapsing when restricted to the left and right half of its output, respectively, and if it is hard to find a zero-preimage of f (restricted to the right half of its output), then the sponge construction is collapsing. 2 More precisely, [Unr16a] shows that relative to certain oracles, a collision-resistant hash function exists that allows such attacks. In particular, this means that there cannot be a relativizing proof that the commitment scheme is binding assuming a collision-resistant hash function. 3 For example, hash functions using the Merkle-Damgård construction are not well modeled as a random oracle. If we use MAC (k, m) := H(k m) as a message authentication code (MAC) with key k, we have that MAC is secure (unforgeable) when H is a random oracle, but easily broken when H is a hash function built using the Merkle-Damgård construction. 4 It is not called a compression function, since the domain and range of f are identical. 5 [Ber+08] shows that the sponge construction is indifferentiable from a random oracle in the classical setting. Together with the fact that the random oracle is collision-resistant, collision-resistance of the sponge construction follows. 2

3 If the block function f is a random oracle or a random permutation, then the sponge construction is collapsing. It should be stressed that we do not show that the sponge construction is collapsing (or even collision-resistant) if the block function f is an efficiently invertible random permutation. This means that the present result cannot be directly used to show the security of, say, SHA3, because SHA3 uses an efficiently invertible permutation as block function. Our results apply to hash functions where the block function is not (efficiently) invertible, e.g., Gluon [Ber+12]. But we believe that our results are also a first step towards understanding the sponge construction for invertible block functions, and towards showing the post-quantum security of SHA3. Open questions / future work. avenues for future research: Beyond the results of this paper, there are a few natural Efficiently invertible permutations. Many hash functions (e.g., SHA3) use the sponge construction with an invertible permutation. Our results do not apply to those. How can we prove the collapsing property (or at least quantum collision-resistance) in that setting? Other hash functions. [Unr16b] has covered hash functions based on the Merkle-Damgård construction, we have covered hash functions based on the sponge construction. Which other common constructions of hash functions are collapsing? Tightness of the results. Are our concrete security bounds tight? If not, can they be improved? In particular, it would be interesting to improve our analysis of the squeezing phase (i.e., the second half of the sponge construction) since our analysis only takes into account the first output block and thus probably looses a lot in terms of concrete security in the case of hash functions with long output. Other properties of the sponge construction. Classically, we get many properties of the sponge construction for free from the fact that the sponge construction is indifferentiable from a random oracle [Ber+08]. For example, it immediately follows that the sponge construction is a pseudo-random function (PRF). Can we show those properties in the quantum setting, too? E.g., is the sponge construction a PRF secure against quantum adversaries? Is it secure even against quantum adversaries that have superposition access to the PRF (as in [Zha12])? Organization. In Section 2 ( Preliminaries ) we recall some standard notation and definitions. In Section 3 ( Collapsing hash functions ), we recall the definition of collapsing hash functions and some important properties of that definition. In Section 4 ( Sponge construction ) we recall the sponge construction. In Section 5 ( Sponges are collapsing ), we present our main result that the sponge construction is collapsing. In Section 5.1 ( Using random oracles or random permutations ) we specialize this result to the case where the block function is a random function or a random permutation. In Section 6 ( Concrete security results ), we state and prove the results from Section 5 with concrete security bounds. 2 Preliminaries x y denotes the bitwise XOR of bitstrings x and y. Let range f denote the range of the function f, and im f its image (i.e., im f contains all values that the function f actually attains, while range f refers to the set into which f maps according to the declaration of f). By {0, 1} n we denote the set of all bitstrings of length n. By ({0, 1} n ) + we denote the set of non-empty bitstrings that consists of blocks of length n. (I.e., bitstrings of length kn for some k 1.) m denotes the length of a bitstring, but in abuse of notation, for elements 3

4 m ({0, 1} n ) +, m denotes the number of n-bit blocks in m. (But for sets M, M is the cardinality of M.) We call a real-valued function f 0 negligible iff for any polynomial p > 0, we have f < 1/p eventually. We call f 1 overwhelming if 1 f is negligible. A quantum state Ψ is an element of the complex Hilbert space C M for some set M. (E.g., M could be the set of all bitstrings, or of fixed length bit strings, or {0, 1}.) We assume a canonical orthonormal basis of that Hilbert space, called the computational basis, its elements are written m for m M. Operations on quantum states are represented by unitary operations U on the quantum states, or by projective measurements. A projective measurement is specified by a family of projectors {P i } that are mutually orthogonal and sum up to 1, one projector P i for each possibly measurement outcome i. For any quantum state Ψ, let Ψ denote the adjoint of Ψ. In particular, Ψ Ψ denotes the orthogonal projector onto Ψ. We assume familiarity with these concepts throughout the technical parts of this paper. For an introduction, we refer the reader to a textbook on quantum computation or quantum information such as [NC10]. For algorithms A (classical or quantum), we use the notation (a, b, c) A(d, e, f) to denote that A is executed with inputs d, e, f, and the output triple is assigned to the variables a, b, c. We use capital letters to denote quantum registers, i.e., subsystems of the quantum state of the whole system. E.g., (y, M ) A(x, M) means the algorithm A has classical input x, and gets the quantum register M, and it outputs classical output y and a new quantum register M (the register M is consumed by A). By x $ M we mean that x is chosen uniformly at random from the set M. If M denotes a projective measurement, we write x M(M) to denote that x is assigned the outcome of measuring the register M with M. Note that in this case, the register M is not discarded, instead it contains the post-measurement state. We write A O when an algorithm A has access to the function O as an oracle. That is, A O can evaluate the unitary U O : x, y x, y O(x) in a single step. In results with asymptotic statements (referring, e.g., to quantum-polynomial-time adversaries), we assume a security parameter that is implicitly provided to all adversaries, and that all parameters and functions may implicitly depend on. A game is a sequence of steps (such as (y, M ) A(x, M) or x $ M or x M(M)). We write Pr[C : G] to denote the probability that the condition C holds after executing the steps in game G. (E.g., Pr[b = 1 : b A()] denote the probability that the bit b returned by A() is 1.) Definition 1 (Zero-preimage-resistance) We call a function f O : {0, 1} d {0, 1} e zeropreimage-resistant iff for any quantum-polynomial-time adversary A O, we have that Pr[f O (x) = 0 e : x A O ()] is negligible. 3 Collapsing hash functions In this section, we recall the notion of collapsing hash functions H from [Unr16a]. We describe both the underlying intuition, as well as the formal definitions. A hash function is a function H O : X Y for some range X and domain Y. (Typically, Y consists of fixed length bitstrings, and X consists of fixed length bitstrings or {0, 1}.) H can be depend on an oracle O. (Typically, O will be a random function, a random function, or simply be missing if we are in the standard model. Unless specified otherwise, we make no assumptions about the distribution of O.) As mentioned in the introduction, intuitively, we wish that H(m) uniquely identifies m in some sense. In the classical setting, this naturally leads to the requirement that it is hard to find m m with H(m) = H(m ). Then we can treat H(m) as if it had only a single preimage (even though, of course, a compressing H will have many preimages, we just cannot find them). In the quantum setting, there is another interpretation of the requirement that H(m) identifies m. Namely, if we are given a register M that contains a superposition of many values m, then measuring H(m) on that register should intuitively fully determine m. That 4

5 A S M M B S b A M B b h m h (a) Game 1 (b) Game 2 Figure 1: Games from the definition of collapsing hash functions. M represents a measurement in the computational basis. (A, B) is assumed to satisfy the property that M always returns m with H(m) = h. We require that the probability of b = 1 is negligibly close in both games. is, the effect on the register M should be the same, no matter whether we measure just the hash H(m) or the whole message m. One can see that for any compressing function H, it is impossible that measuring H(m) and m has information-theoretically the same effect on the state. 6 However, what we can hope that for a computationally limited adversary, the two situations are indistinguishable. In other words, we require that no quantum-polynomial-time adversary can distinguish whether we measure H(m) or m. This property is then useful in proofs, because we can replace H(m)-measurements by m-measurements and vice versa. We can slightly simplify this condition if we require that the register M already contains a superposition of values m that all have the same hash H(m). In this case, measuring H(m) has no effect on the state, so we can state the requirement as: If M contains a superposition of messages m with the same H(m) = h, then no quantum-polynomial-time adversary can distinguish whether we measure M in the computational basis, or whether we do not measure it at all. Or slightly more formally: We let the adversary A produce a register M and a hash value h (subject to the promise that measuring M would lead to an m with H(m) = h). The adversary additionally keeps an internal state in register S. Then we either measure M in the computational basis (Game 1, depicted in Figure 1 (a)), or we do not perform any such measurement (Game 2, depicted in Figure 1 (b)). Finally, we give registers S (the internal state) and M (the potentially measured message register) to the adversary s second part B. We call H collapsing if no quantum-polynomial-time (A, B) can distinguish Game 1 and Game 2. This is formalized by the following definition: Definition 2 (Collapsing [Unr16a]) For algorithms A, B, consider the following games: Game 1 : (S, M, h) A O (), m M(M), b B O (S, M) Game 2 : (S, M, h) A O (), b B O (S, M) Here S, M are quantum registers. M(M) is a measurement of M in the computational basis. For a set M, we call an adversary (A, B) valid on M for H O iff Pr[H O (m) = h m M] = 1 when we run (S, M, h) A O () and measure M in the computational basis as m. If we omit on M, we assume M to be the domain of H O. A function H is collapsing (on M) iff for any quantum-polynomial-time adversary (A, B) that is valid for H O (on M), Pr[b = 1 : Game 1 ] Pr[b = 1 : Game 2 ] is negligible. The definition follows [Unr16a], except that we made the oracle O explicit (which was implicit in [Unr16a]). 6 E.g., M could contain m 2 m m. Then measuring H(m) will lead to the state 1 m which is almost orthogonal for large H 1 ({m}) H 1 ({m}) to the state m we get m s.t. H(m)=h when measuring m. 5

6 Miscellaneous facts. The following properties of collapsing hash functions will be useful throughout this paper. They are immediate consequences of their concrete-security variants in Section 3.1 below. Lemma 3 If H O is injective, then H O is collapsing. Theorem 4 If O : {0, 1} e {0, 1} d is a random function with superlogarithmic d, then H O := O is collapsing. Lemma 5 If G O H O is collapsing, and G O is quantum-polynomial-time computable, then H O is collapsing. Lemma 6 If G O and H O are collapsing, and H O is quantum-polynomial-time computable, then G O H O is collapsing. 3.1 Definitions for concrete security Definition 2 allows us to state the results of this paper in asymptotic terms (namely, that the sponge construction is collapsing). However, when stating concrete security results, one can achieve tighter results by directly analyzing the security of t parallel evaluations of the hash function (see [Unr16b]). This leads to the following definition: Definition 7 (Collapsing concrete security) For algorithms A, B, and an integer t, consider the following games: Game 1 : (S, M 1,..., M t, h 1,..., h t ) A O (), m 1 M(M 1 ),..., m t M(M t ), b B O (S, M 1,..., M t ) Game 2 : (S, M 1,..., M t, h 1,..., h t ) A O (), b B O (S, M 1,..., M t ) Here S, M 1,..., M t are quantum registers. M(M i ) is a measurement of M i in the computational basis. For a set M, we call an adversary (A, B) t-valid on M for H O iff Pr[ i. H O (m i ) = c i m i M] = 1 when we run (S, M 1,..., M t, h 1,..., h t ) A O () and measure all M i in the computational basis as m i. If we omit on M, we assume M to be the domain of H O. We call Pr[b = 1 : Game 1 ] Pr[b = 1 : Game 2 ] the collapsing-advantage of (A, B) against H. This definition is from [Unr16b], with the only difference that now adversaries and hash functions may depend on an oracle O, instead of depending on a public parameter. The two definitions of collapsing hash functions are equivalent in the following sense: Lemma 8 ([Unr16b]) H O is collapsing (according to Definition 2) on M iff for any quantumpolynomial-time (A O, B O ) that is t-valid on M, the collapsing-advantage (according to Definition 7) is negligible. Miscellaneous facts. We restate the facts from Section 3, with concrete security bounds. Unless specified otherwise, these facts were proven in [Unr16b] (in a setting without oracle O, but all proofs from [Unr16b] relativize). All results in this paper hold both if runtime is measured in computation steps, and when time is measured in the number oracle queries. 6

7 Lemma 9 If H O is injective, and (A O, B O ) is a t-valid adversary with collapsing-advantage ε against H O, then ε = 0. Theorem 10 If O : {0, 1} e {0, 1} d is a random function, and (A O, B O ) is t-valid for O and has collapsing-advantage ε, then ε O(tq 3/2 2 d/2 ). This was shown for the case t = 1 in [Unr16a]. For general t, this theorem then follows by using the fact that the collapsing property parallel composes (fully analogous to the parallel composition of collapse-binding commitments shown in [Unr16a]). Lemma 11 Fix oracle functions G O and H O. Let (A, B ) be a t-valid adversary against some function H O with runtime τ and collapsing-advantage ε against H O. Then there is an adversary (A, B ) that is t-valid for G O H O, has runtime τ + tτ G, and collapsing-advantage ε against G O H O. Here τ G is the time required for computing G O. Proof. ( Let A perform the following steps: Run (S, M 1,..., M t, h 1,..., h t ) A O (), and return S, M1,..., M t, G O (h 1 ),..., G O (h t ) ). Let B be identical to B. Since (A, B) is is t-valid for H O, the t-validity of (A, B ) for G O H O follows directly from the construction of (A, B ) and the definition of t-validity. The runtime of (A, B ) is τ + tτ G, since there are t additional calls to G O compared with (A, B). Since (A, B ) differs from (A, B) only in the classical outputs h 1,..., h t, and since the games Game 1 and Game 2 from Definition 7 do not use these classical outputs, we have that Pr[b = 1 : Game 1 using A, B] = Pr[b = 1 : Game 1 using A, B ] and Pr[b = 1 : Game 2 using A, B] = Pr[b = 1 : Game 2 using A, B ]. Thus (A, B ) has collapsing-advantage Pr[b = 1 : Game 1 using A, B ] Pr[b = 1 : Game 2 using A, B ] = Pr[b = 1 : Game 1 using A, B] Pr[b = 1 : Game 2 using A, B] = ε. Lemma 12 Fix oracle functions G O and H O. If there is a τ-time adversary (A, B), t-valid for G O H O, with collapsing-advantage ε against G O H O, then there are: a (τ + O(tτ H ))-time adversary (A, B ), t-valid for G O on im H O, with some collapsingadvantage ε against G O, a (τ + O(tτ H ))-time adversary (A, B ), t-valid for H O, with some collapsing-advantage ε against H O. such that ε ε + ε. Here τ H is an upper bound on the time for evaluating H O (on the messages that A outputs on the registers M j ). In [Unr16b], this lemma had an additional O(tl mid ) in the runtime of (A, B ) where l mid denotes the length of the output of H O. Since this is always dominated by O(tτ H ), we omit this term here. 7

8 m 1 m 2 m 3 m 4 h 1 h 2 h 3 0 r 0 c f f f f f f Absorbing phase S in Squeezing phase S out Figure 2: The sponge construction S with a four block input m 1 m 2 m 3 m4 and a three block output h 1 h 2 h 3. The application of the padding function is not depicted (we assume m 1 m 2 m 3 m 4 = pad(m)). 4 Sponge construction In this section, we review the sponge construction introduced by [Ber+07]. The sponge construction has two internal parameters r, c called the rate and the capacity, respectively. The internal state has r + c bits. We refer to the first part of the state as the left state, and to the second part of the state as the right state. Underlying the sponge construction is a block function f that inputs and outputs r + c bits. To hash a message m, the message is first padded to a non-zero multiple of the rate r. That is, we use some injective padding function pad to get k 1 message blocks m 1... m k = pad(m). 7 Then we XOR m 1 to the left state, apply f to the (whole) state, XOR m 2 to the left state, apply f to the state,..., apply f to the state, XOR m k to the left state. The steps performed so far are referred to as the absorbing phase (denoted in this paper with S in ). Now we start with the squeezing phase S out : We apply apply f to the state, read the left state as h 1, apply f to the state, read the left state as h 2,.... We continue to do so until h 1 h 2... contains n bits (where n is a parameter specifying the desired output length), and return the first n bits of h 1 h The whole process described here (padding, absorbing phase, squeezing phase) is the sponge construction, referred to as S in this paper. The sponge construction is illustrated in Figure 2 for the special case of k = 4 and n = 3r (four input blocks and three output blocks). The following definition makes the above explanation precise: Definition 13 (Sponge construction) Fix integers c > 0 (the capacity) and r > 0 (the rate), and n > 0 (the output length). Fix f : {0, 1} r+c {0, 1} r+c (the block function) and pad : {0, 1} ({0, 1} r ) +. For m 1,..., m k {0, 1} r, let (We call S in the absorbing phase.) For s {0, 1} r+c, let S in c,r,f (m 1... m k ) := f ( S in c,r,f (m 1... m k 1 ) ) (m k 0 c ) S in c,r,f (m 1) := m 1 0 c S out c,r,f,n (s) = { s S out c,r,f,n s (f(s)) (n > 0) empty word (n = 0) where s consists of the first min{n, r} bits of f(s). (We call S out the squeezing phase.) Let S c,r,f,pad,n := S out c,r,f,n Sin c,r,f pad. We call S c,r,f,pad,n the sponge construction. Usually, c, r, f, pad, n will be clear from the context. Then we omit them and simply write S in, S out, S. Notation: The sponge construction operates on a state of size r + c, and we will often need to refer to the two halves of that state separately: For any s {0, 1} r+c, let s left denote the first 7 The original construction requires that the last block of pad(m) is non-zero, this is important for other properties than collision-resistance/collapsing. In this work, we do not put any such requirement on pad. We do, however, assume that pad outputs at least one block. 8

9 r bits of s, and let s right refer to the last c bits of s. If f is a function with r + c bit output, then we write f left for the function defined by f left (x) := f(x) left. And f right analogously. In [Ber+08], it was shown that the sponge construction is indifferentiable from a random oracle, assuming that f is a random oracle or an (invertible) random permutation. From this collision-resistance follows. However, the proof from [Ber+08] works only in the classical case. If the adversary has superposition access to f, their proof breaks down because it needs to track on which inputs f has been queried. As far as we know, no results concerning the post-quantum security of the sponge constructions are known (besides what we show in this paper). 5 Sponges are collapsing In this section, we show that the sponge constrution is collapsing, under certain assumptions about the block function f. We only state the qualitative results here, more precise statements with concrete security bounds will be given in Section 6. The results in this section hold for all distributions of the oracle O (including the case that there is no oracle O). The specific cases of random functions and random permutations are covered in Section 5.1. Since all adversaries (A, B, A, B,... ) and the block function f have oracle access to O throughout the section, we omit the oracle O from our notation for increased readability (i.e., we write A, f instead of A O, f O ). Throughout this section, we assume that f O can be computed in quantum-polynomial-time (given oracle access to O). We will analyze the sponge construction in three parts. First, we analyze the security of the absorbing phase S in, then we analyze the security of the squeezing phase S out, and finally we conclude security of the whole sponge S, consisting of padding, absorbing, and squeezing. First, we analyze the absorbing phase. For the absorbing phase (without padding or squeezing) to be collapsing, we will need two properties of f right : f right is collapsing. This is the main property required from the block function f. If we would restrict S in to fixed length messages, then we could show the collapsing property of S in based on that property alone. f right is zero-preimage-resistant (see Definition 1). To see why we need this property, consider a block function f where the adversary can find, e.g., x, y {0, 1} r with f(x 0 c ) = y 0 c. Then we can see that S in (x y) = 0 c+r, and thus S in (x y z) = z 0 c = S in (z) for any z {0, 1} r. Thus S in would not be collision-resistant, and in particular not collapsing. We state the result formally: Lemma 14 (Absorbing phase is collapsing) Assume that f right is collapsing, and that f right is zero-preimage-resistant. Then S in is collapsing. Note that this lemma does not explicitly state anything about the size of r and c. But of course, f right can only be collapsing and zero-preimage-resistant is the capacity c is superlogarithmic. We only give a detailed proof sketch for Lemma 14. Since Lemma 14 is an immediate corollary of its concrete security variant Lemma 22, we give the full proof directly for Lemma 22 in Section 6 below. Proof sketch. Consider a quantum-polynomial-time adversary (A, B) where A outputs a hash h, and a superposition of messages m on the register M, and B expects M back and outputs a guess b. We need to show that the two games in Definition 2 (see also Figure 1) are indistinguishable, i.e., the probability of b = 1 is approximately the same in both games. Since the domain of S in is ({0, 1} r ) +, we can assume that (A, B) is valid on ({0, 1} r ) +, i.e., M contains a superposition of messages m ({0, 1} r ) + with S in (m) = h. To show that the two games are indistinguishable, we start with Game 2 from Definition 2 (Figure 1 (b)) and transform it step by step into Game 1. 9

10 0 r 0 c m 1 m m s right m m 2 m 3 m ( m 1) m ( m 2) s left m f s left ( m 1) f s right ( m 2) s right ( m 1)... s left ( m 2)... m m k m (k+1) s right (k+1) m m k+1 m m k+2 m k m (k 1) s left (k+1) f s right k s left k f s right (k 1)... s left (k 1)... m m 2 m 3 s right 3 s left 3 f m m 1 m 2 s right 2 s left 2 f m m m 1 s right 1 s left 1 } h b: Positions where lower wire is 0 c (counting from end) Figure 3: Lemma 14. Values occurring in the computation of h = S in (m), using the notation from the proof sketch of Game 1 (M, h) A(). b B(M). (Same as Game 2 from Definition 2.) Note that we keep the register S (the state of (A, B)) implicit in this proof sketch, to improve readability. Now, in each successive game, we measure more and more information about the message m contained in M, until in the final game, we measure m completely (like in Game 1 from Definition 2). In order to refer to the different values derived from m that we measure, we will need to use a lot of notation to refer to various intermediate values occurring in the computation of S in (m). To make it easier to follow the proof, all relevant notation has been depicted in Figure 3, which shows an evaluation of S in (m). Since (A, B) is valid, we know that S in (m) = h where h is the classical output of A. That is, h = S in (m) has already been measured. 8 In the computation of S in (m), let s 2 refer to the state that goes into the last application of f (see Figure 3), and let m 1 refer to the last block of the input message m (i.e., m 1 = m m ). Then h = f(s 2 ) (m 1 0 c ) by definition of S in, and thus h right = f right (s 2 ). Now since by assumption, f right is collapsing, we can reason: Since f right is collapsing, and we have measured the output h right of f right (s 2 ), it follows that we can additionally measure s 2, and the adversary B will not be able to notice the difference. That is, we get the following game with only negligibly different Pr[b = 1]: Game 2 attempt (M, h) A(). Measure s 2. b B(M). This would indeed work, if we knew that m 2. However, it could be that m = 1. In this case, we have s 2 = (i.e., s 2 does not occur in the computation). Worse, if M contains a superposition of messages m, some of length m = 1, others of length m 2, then measuring s 2 will reveal whether m 2 or m = 1. We cannot guarantee that this measurement will not change the quantum state of M in a noticeable way. Then Pr[b = 1 : Game 1] Pr[b = 1 : Game 2 attempt ]. The collapsing property of f right does not help here, because to apply that property, we need to know that h right is indeed the output of f right (which is not the case when m = 1). A similar problem also occurs in later games: Let s k denote the k-th state from the end, with h being s 1, the input to the last f being s 2, the input to the previous f being s 3, etc., see Figure 3. (We count backwards because this will make notation easier, since our games will start measuring states from the end.) When we have measured some right state s right, we want k 8 In this proof sketch, when we use the expression measure a where a is some expression depending on the message m (e.g., a could be S in (m)), then we mean that we measure the register M, but not with a complete measurement, but with a measurement that gives outcome a (e.g., S in (m)) when M contains m. Formally, that measurement would consist of the projectors P i defined by P i := m s.t. a=i m m. E.g., if we measure Sin (m), the projectors are P i := m s.t. S in (m)=i i i. 10

11 to argue that we can measure the previous state s (k+1) because s right k = f right (s (k+1) ). Again, this will not be possible because we do not know whether s k is not already the first state of the computation of S in (m). (That is, we do not know whether m = k.) To get around this problem, we need a mechanism to decide whether a state s k is the initial state, i.e., whether s k is s m. How do we do that? By construction of S in, the initial state s m satisfies s right m = 0c. Thus, we might try to decide whether s k is the initial state by checking whether s right k = 0 c. For example, if we want to measure s 2, we do so only when h right = s right 1 0 c. This approach is basically sound, but what happens when a state in the middle has s right k = 0 c? We would be mislead, and the proof would break down. To avoid this problem, we will first measure at which positions this bad case happens. Let b be the set of all indices k < m such that s right k = 0 c. (That is, the indices of all states in which we observe a 0 c in the right part, but which are not the initial state.) Once we know the set b, then we can decide whether s k is the initial state or not. Namely, s k is the initial state (i.e., k = m ) iff s right k = 0 c and k / b. So the first step in our sequence of games is to measure the set b: Game 2 (M, h) A(). Measure b. b B(M). We assumed that f right is zero-preimage-resistant. This implies that with overwhelming probability, s right k = f right (s (k+1) ) 0 c for all k < m. Thus b = with overwhelming probability. Therefore measuring b has only negligible effect on the quantum state. Thus Pr[Game 1] Pr[Game 2]. (We use the shorthand Pr[Game 1] for Pr[b = 1 : Game 1]. And denotes a negligible difference.) Now we can proceed with measuring more and more states from the computation of S in (m). First, we measure s 1 : Game 4 1 (M, h) A(). Measure b and s 1. b B(M). (Note: The numbering of games in this proof sketch has gaps so that the game numbers here match the game numbers from the full proof of Lemma 22.) Since s 1 = h by definition, and since h is already measured by A, the additional measurement does not change the quantum state, and we have: Pr[Game 2] = Pr[Game 4 1 ]. Now we add a measurement whether s 2 is defined: Game 5 1 (M, h) A(). Measure b and s 1 and whether s 2 =. 9 b B(M). Given b and s 1 we can already tell whether s 2 =. Namely, s 2 = iff s right 1 = 0 c and 1 / b. Thus measuring whether s 2 = has no effect on the quantum state, and we get Pr[Game 4 1 ] = Pr[Game 5 1 ]. Now, finally, we can do what we already intended to do in Game 2 attempt : We measure s 2, and use the collapsing property of f right to show that this measurement does not noticeably disturb the quantum state: Game 4 2 (M, h) A(). Measure b, and s 1, and whether s 2 =, and s 2. b B(M). 9 Measuring whether s 2 = means a measurement on M defined by projectors P and 1 P where P := m s.t. s 2 = m m. 11

12 In case that we measured that s 2 =, measuring s 2 in Game 4 2 has no effect on the quantum state (since we know that the outcome will be ). And in case that we measured that s 2, we know that s right 1 = f right (s 2 ) (as already discussed above), and thus measuring s 2 can be noticed with at most noticeable probability by a quantum-polynomial-time adversary. Thus Pr[Game 5 1 ] Pr[Game 4 2 ]. And then we continue by adding a measurement whether s 3 : Game 5 2 (M, h) A(). Measure b, and s 1, and whether s 2 =, and s 2, and whether s 3 =. b B(M). Since s 3 = iff s 2 = or s right 2 = 0 c and 2 / b, measuring whether s 3 = holds has no effect on the quantum state. Thus we get And then we measure s 3 : Pr[Game 4 2 ] = Pr[Game 5 2 ]. Game 4 3 (M, h) A(). Measure b, and s 1, and whether s 2 =, and s 2, and whether s 3 =, and s 3. b B(M). Using that f right is collapsing, we get Pr[Game 5 2 ] Pr[Game 4 3 ]. We continue in this way, alternatively adding a measurement whether the next state s k =, and then adding a measurement of s k, each time using the collapsing property of f right. After l such steps, where l is a polynomial upper bound on the length of m, we get the following game: Game 4 l (M, h) A(). Measure b, measure whether s 1,..., s l =, measure s 1,..., s l. b B(M). Since in each of the steps, we accrue only a negligible distinguishing probability between consecutive games, we get: Pr[Game 4 1 ] Pr[Game 4 l ]. (Formally, this argument is not correct, because the sum of polynomially many possibly different negligible functions is not necessarily negligible. However, this is easily fixed by bounding all differences Pr[Game 5 k ] Pr[Game 4 k+1 ] simultaneously using a reduction that randomly chooses k (a standard technique). Details are given in the full proof of Lemma 22.) In Game 4 l, we measure s 1,..., s l. From these, we can compute m (since s k = for k > m ). Furthermore, each message block m k (the k-th message block from the end) can be computed as follows: We have s k = f(s (k+1) ) (m k 0 c ), and thus m k = s left k f(s (k+1)) left. Except for m m, which can be computed as m m = s left m. (Cf. Figure 3.) Finally, we can compute m as m = m m... m 1. Since we can compute m from the measurements performed in Game 4 l, it follows that those measurements are equivalent (in their effect on the quantum state) to a measurement of m. Thus for the following final game: Pr[Game 4 l ] = Pr[Game 6] Game 6 (M, h) A(). Measure m. b B(M). 12

13 Altogether, we have shown Pr[Game 1] Pr[Game 6]. And Game 1 and Game 6 are identical to the games Game 2 and Game 1 from Definition 2, respectively. Since (A, B) was an arbitrary quantum-polynomial-time adversary that is valid for S in, it follows by Definition 2 that S in is collapsing. Next, we show that the squeezing phase is collapsing. consequence of the fact that f left is collapsing. This one is a relatively trivial Lemma 15 (Squeezing phase is collapsing) Assume that n r (i.e., the requested output length of S out is greater-equal to the rate). Assume that f left is collapsing. Then S out is collapsing. A concrete security variant of this lemma is given in Lemma 23. Proof. Let G(x) return the first r bits of x. If n r, then G(S out (s)) = f left (s). Thus the lemma follows directly from Lemma 5. And finally we get that the sponge construction as a whole is collapsing. This is a simple corollary from the fact that both the absorbing and the squeezing phase are collapsing. Theorem 16 (Sponge construction is collapsing) Assume that n r (i.e., the requested output length of S is greater-equal to the rate). Assume that f left and f right are collapsing, and that f right is zero-preimage-resistant. Assume that pad is injective. Then S is collapsing. A concrete security variant of this theorem is given in Theorem 24. Proof. By Lemma 14, S in is collapsing, and by Lemma 15, S out is collapsing. Then by Lemma 6, S out S in is collapsing. Since pad is injective, by Lemma 3, pad is collapsing. Thus by Lemma 6, S = (S out S in ) pad is collapsing. 5.1 Using random oracles or random permutations In the preceding section, we have reduced the security of the sponge construction S to certain properties of the block function f. In many cases, however, a hash function is designed by constructing a block function heuristically, and we cannot say what specific security properties the block function has. Instead, we model the block function as, e.g., a random function or a random permutation. The present section specifies the security of the sponge construction under those circumstances. (Concrete security statements are deferred to Section 6.1.) We start by deriving the required properties of a random block function: Lemma 17 If O : {0, 1} r+c {0, 1} r+c is a random function, and f O (x) := O(x), and r, c are superlogarithmic, then f left and f right are collapsing. This is an immediate corollary of its concrete security variant Lemma 25, for which we give a full proof in Section 6.1. Proof sketch. By Theorem 10, a random function (with superlogarithmic output length) is collapsing. Since f left = O left has superlogarithmic output length r, and f left = O left is a uniformly random function if O is, it follows that f left is collapsing. (A slight technicality is that the adversary does not only get access to f left = O left, but additionally to O right, but it is easy to see that this does not help him since O right is distributed independently from O left.) Analogously we get that f right is collapsing. Lemma 18 If O : {0, 1} r+c {0, 1} r+c is a random function, and f O (x) := O(x), and c is superlogarithmic, then f right is zero-preimage-resistant. 13

14 This is an immediate corollary of its concrete security variant Lemma 18, for which we give a full proof in Section 6.1. It is a simple consequence of the hardness of quantum searching in unstructured data [Boy+98]. With these two lemmas, security of the sponge using a random block function follows: Theorem 19 If O : {0, 1} r+c {0, 1} r+c is a random function, and f O (x) := O(x), and r, c are superlogarithmic, then S is collapsing. A concrete security variant (with security bounds in terms of the number of oracle-queries) is given in Theorem 27. Proof. Immediate from Theorem 16, using Lemma 17 and Lemma 18 to show that its preconditions are satisfied. And since random functions and random permutations are known to be indistinguishable, we readily derive the security of the sponge construction also for block functions that are random permutations. Theorem 20 If O : {0, 1} r+c {0, 1} r+c is a random permutation, and f O (x) := O(x), and r, c are superlogarithmic, then S is collapsing. A concrete security variant (with security bounds in terms of the number of oracle-queries) is given in Theorem 28. Proof. Zhandry [Zha15] shows that no adversary making a polynomial number of queries can distinguish a random permutation from a random function with more than negligible probability (assuming that the output length is superlogarithmic). Thus the advantage of the adversary attacking the collapsing property of S when O is a random permutation can only be negligibly higher than the advantage of the same adversary attacking the collapsing property of S when O is a random function. The latter advantage is negligible by Theorem 19, thus the former advantage is negligible, too. Hence S is collapsing when O is a random permutation. On invertible permutations. Theorem 28 tells us that the sponge construction is collapsing if the block function f is a random permutation. There is a caveat, though: If f is a permutation that we can efficiently invert, the theorem does not tell us anything. More specifically, if f is a random permutation, and the adversary has access to O = (f, f 1 ), 10 then Theorem 28 does not apply. In fact, if f is efficiently invertible, we cannot apply our main result Theorem 16 at all: In that case f right is not zero-preimage-resistant (to find a zero-preimage, we simply invoke f 1 (y 0 c ) for an arbitrary y {0, 1} r ). And f right is also not collapsing: We get a collision of f right by computing x := f 1 (y z) and x := f 1 (y z) for arbitrary y, y, z with y y. So f right is not collision-resistant. And since collapsing functions are collision-resistant [Unr16a], f right is not collapsing. Similarly, f left is not collapsing, either. So, none of the preconditions of Theorem 16 are satisfied, and we cannot derive that the sponge construction is collapsing (for efficiently invertible f). Does that mean that the sponge construction is not collapsing in that setting? No. At least it is not obvious how one would use f 1 to break the collapsing property. For example, if we try to find a two-block collision (m 1 m 2, m 1 m 2 ) for S, then we need that f(m 1 0 c ) m 2 0 c = f(m 1 0c ) m 2 0c. How can we solve this equation by using f 1? Unclear. For other kinds of collisions that we could think of, we fail similarly. In fact, we conjecture that the sponge construction is still collapsing in this setting: 10 Formally, we mean by O = (f, f 1 ): O(0, ) is a random permutation, O(1, ) is its inverse, and f(x) := O(0, x). 14

15 Conjecture 21 If O : {0, 1} {0, 1} r+c {0, 1} r+c is an invertible random permutation (see footnote 10), and f O (x) := O(0, x), and r, c are superlogarithmic, then S is collapsing. Showing this conjecture is quite important because it will give evidence for the post-quantum security of SHA3. (Only in the idealized invertible random permutation model. But then, classically, we also have evidence for the collision-resistance of the sponge construction only in that idealized model [Ber+08].) 6 Concrete security results In this section, we prove the concrete security variants of the results from Section 5. The proofs follow the lines sketched in Section 5, except that we need to be more explicit about the adversaries constructed during the reductions. The reader interested only in the qualitative fact that the sponge construction is secure, but not in the precise bounds, can safely skip this section. As in Section 5, we omit O from A O, f O, etc. Lemma 22 Let (A, B) be a τ-time adversary, t-valid against S on ({0, 1} r ) +, with collapsingadvantage ε. Assume that A outputs messages of length at most lr bits. Then there are: a (τ + tlτ f + O(tlc))-time adversary A that finds a zero-preimage 11 of f right with probability ε, and a ( τ + O(lτ f ) ) -time adversary (A, B ), t-valid against f right, with collapsing-advantage ε such that ε ε + (l 1)ε. Here τ f is the time required a single classical invocation of f. If time is measured in O-queries (instead of computation steps), the term O(tlc) in the runtime of A can be omitted. Proof. We prove this lemma using a sequence of games. The first game is identical to Game 2 from Definition 7. Game 1 (S, M 1,..., M t, h 1,..., h t ) A(). b B(S, M 1,..., M t ). To state the second game, we need to introduce some notation. (We recommend the reader to compare with Figure 3. The notation there is slightly different, e.g., we write there s 1 and here more precisely s 1 (m), but the figure can be helpful to get an overview which parts of the message the different values defined below refer to.) For some m ({0, 1} r ) +, we denote by m the number of r-bit blocks in m. (That is, if m has d bits, then m = d/r.) By m i we denote the i-th block of m. We denote by m i the i-th block of m from the end, i.e., m i = m m i+1 and m = m m... m 1. For i = 1,..., m, let s i (m) := S in (m 1,..., m m i+1 ). That is, s i (m) is the i-th state during the evaluation of S in (m), counted from the end. In particular, s 1 (m) = S in (m), and s m (m) = m 1 0 c. (Since we consider only m ({0, 1} r ) +, the border case m = 0 does not occur.) We define s i (m) := for i > m. Let b(m) := {i : s i (m) right = 0 c i < m }. Note that we always have s right m = 0 c by definition, but due to the condition i < m, we never have m b(m). Notice that i b(m) implies that s (i+1) (m) is a zero-preimage of f right. The intuitive meaning of b(m) is that it tells us whether (and where) at some point during the computation of S in (m), there is a state s with s right = 0 c. This is important to know, because 11 By zero-preimage we mean any value x with f right (x) = 0 c. 15

16 later we will interpret such a state as an indication that we have reached the beginning of the computation of S in. b(m) tells us where there are exceptions to this rule. Finally, in the following, for a function f, let M f (M) denote a measurement of the register M that measures f(m) when m is the state of M. More formally, M f (M) consists of the projectors {P i } i range f with P i := m s.t. f(m)=i m m. For example, if f is the identity, then M f (M) is a complete measurement in the computational basis, and if f is a constant function, then M f (M) does not do anything. We write x M f (M) to denote that the outcome of M f (M) is stored in x. Note that all measurements M f commute, even for different functions f. We will use this fact implicitly by treating sequences of measurements as equal when they differ only in their ordering. Game 2 (S, M 1,..., M t, h 1,..., h t ) A(). b j M b (M j ) for j = 1,..., t. b B(S, M 1,..., M t ). That is, compared to Game 1, we additionally measure b(m) for each of the messages m that are in the registers M 1,..., M t. We will need this below in order to decide whether a given message block is the first message block (when working our way backwards through the message). Namely, m i is the beginning of the message m, iff s i (m) right = 0 c and i / b(m). For any game Game X, let Pr[Game X] denote the probability that b = 1 in Game X. (I.e., Pr[Game X] := Pr[b = 1 : Game X].) We will now bound Pr[Game 1] Pr[Game 2]. Let ρ denote the state of S, M 1,..., M t after executing (S, M 1,..., M t, h 1,..., h t ) A(). Let ρ denote the state after additionally performing the measurement b j M b (M j ) for j = 1,..., t. 12 By Lemma 29, the trace distance between ρ and ρ is bounded by ε 0, where 1 ε 0 := Pr[(b 1,..., b t ) = (,..., ) : Game 2]. And ρ and ρ are the state before executing b B(S, M 1,..., M t ) in Game 1 and Game 2, respectively. Thus the probability of b = 1 in these two games can differ at most by the trace distance between ρ and ρ, hence Pr[Game 1 Game 2] ε 0. (1) Since Pr[(b 1,..., b t ) = (,..., ) : Game 2] = 1 ε 0, we have Pr[ j. b j ] = ε 0 in the following game: Game 3 (S, M 1,..., M t, h 1,..., h t ) A(). m j M(M j ) for j = 1,..., t. b j := b(m j ) for j = 1,..., t. h j := Sin (m j ) for j = 1,..., t. By definition of b(m), we have that b(m) implies that s (i+1) (m) is a zero-preimage of f right for some i. Thus, if j. b j in Game 3, then one of the s i (m j ) is a zero-preimage of f right. Thus with probability ε 0, one of the computations Sin (m j ) in Game 3 performs a call ŝ := f(s) such that ŝ right = 0 c. Consider the following algorithm A : It computes (S, M 1,..., M t, h 1,..., h t ) A(), measures m j M(M j ) for j = 1,..., t, and then computes S in (m j ) for j = 1,..., t. If in one of the invocations ŝ := f(s) performed by S in we have ŝ right = 0, A returns s. Then A outputs a zero-preimage of f right with some probability ε ε 0. A has runtime τ + tlτ f + O(tlc). And from (1), we get Pr[Game 1 Game 2] ε. (2) For the next game, we introduce one more function, d i, defined by: d i (m) := 1 if s i (m), and d i (m) := 0 otherwise. Equivalently, d i (m) = 1 iff m i. The next game is a variation of Game 2 and is parametrized by an integer k = 1,..., l. 12 Strictly speaking, these are t measurements M b (M 1),..., M b (M t). However, since the measurements M b (M j) commute, one can see them as a single measurement on M 1,..., M t with outcome b 1,..., b t. 16